Abstract

Some, but not all, extractors resist adversaries with limited quantum storage. In this paper we show 
that Trevisan's extractor has this property, thereby showing an extractor against quantum storage with 
logarithmic seed length. 

1 Introduction 

In the classical privacy amplification problem Alice and Bob share information that is only partially secret 
towards an eavesdropper Charlie. Their goal is to distill this information to a shorter string that is completely 
secret. The problem was introduced in The classical privacy amplification problem can be solved
almost optimally using extractors.

An interesting variant of the problem, where the eavesdropper Charlie is allowed to keep quantum
information, was introduced by Konig, Maurer and Renner [14, 15]. Let us call such an extractor an extractor
against quantum storage. This situation naturally occurs in analyzing the security of some quantum key
distribution (QKD) protocols and in bounded-storage cryptography. For example, [5] show a generic way of
using extractors against quantum storage to prove the security of certain QKD protocols. Using extractors
for bounded-storage cryptography demands more from the extractor (it should be "locally computable"), but
also allows more specific assumptions about the source distribution (e.g., IPT71 and iPToll ).

Special cases of the problem are also of great interest. The first such example appears in [1, 19, 2] where
random access codes are studied. Alice and Bob share a random length $n$ string $x$ on which the eavesdropper
Charlie knows $b$ bits of information. If Charlie is classical, then choosing a random $i \in [n]$ and outputting
$x_i$ results in an almost uniform bit. The question studied in the above papers is whether the same also holds
when Charlie is quantum and may hold $b$ quantum bits. It was shown in ffldUE] that the answer is positive,
and this gives an extractor against quantum storage, albeit with a single output bit.

Konig, Maurer and Renner lfl4l [T31 show that the pair-wise independent extractor of lPT3l is also good 
(and with the same parameters) against quantum storage. Using the same techniques the result can also 
be extended to using almost pair-wise independence ll22l ITOl . Another classical extractor for very high 
min-entropies was shown to hold against quantum storage in [H (the classical version appears, e.g., in ll6l). 
Konig and Terhal [17] showed that any single output extractor is also good against quantum storage. They
also showed that any extractor with error $\epsilon$ has at most $2^{O(b)}\epsilon$ error against $b$ quantum storage. Thus, if
some extractor has a good dependence on the error (as is often the case) one can make the extractor good
against $b$ quantum storage by taking a longer seed (often, longer by only $O(b)$ bits).

It is tempting to conjecture that every extractor against classical storage should also be good against
quantum storage. However, Gavinsky et al. [9] show an example of an extractor that works well against
classical storage but fails even against much shorter quantum storage.

To summarize, many techniques and constructions generalize and work well against quantum storage.
Yet, in spite of much effort, none of the above methods give a short seed extractor against quantum storage.
[14, 15] have seed length $\Omega(n)$ and the variant with almost pair-wise independence has seed length $\Omega(m)$,
where $n$ is the length of $x$ and $m$ is the output length. [8] requires the seed length to be $\Omega(b)$ where $b$
is the bound on the quantum storage. [17] show any single output bit extractor is good against quantum
storage, and for $m$ bits their method gives $m \log n$ seed length. Alternatively, they show one can do with
$O(\log n + b)$ seed length, which is again not applicable if $b$ is relatively large (say, super-polynomial). In
contrast, classically, there are many explicit constructions with poly-logarithmic seed length, some even
with logarithmic seed length. Some of these constructions are summarized in Table 1. A natural question
that repeatedly appears in the above mentioned papers is whether one can show a logarithmic seed length
extractor against quantum storage.

In this work we show that Trevisan's extractor [24] is also good against quantum storage, with somewhat 
weaker parameters. 

Theorem 1.1. There exists a constant $c > 1$, such that for every $k, b < n$ and $\epsilon > 0$ there exists an explicit
$(k, b, \epsilon)$ strong extractor $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ against $b$ quantum storage, with seed length

t = and output length m = (f ) 1/c ).

Plugging k = n which is the usual setting for privacy amplification, we get: 

Corollary 1.1. For the above constant $c$, for every $\beta < 1$, $\gamma <$ there exists an explicit $(n, b = n^{\beta}, \epsilon = n^{-\gamma})$
strong extractor $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ against quantum storage, with output length rf 1 ^
and seed length $t = O(\log n)$.

The seed length is $O(\log n)$ and matches the classical extractor lower bound up to constant multiplicative
factors. The error $\epsilon$ is not that good, as it cannot get below, e.g., $1/k$. The number of extracted bits is nf 1 ^.
This should be compared with for ( arbitrarily small, in Trevisan's extractor against classical storage.
Thus we have a polynomial loss here compared to the original classical scheme.

Table 1 summarizes the parameters of the known classical extractors against quantum storage. Our work
gives the first solution to the privacy amplification problem against quantum storage with logarithmic seed
length. We believe that other extractor constructions should also be good against quantum storage.

The technique. One way to view Trevisan's extractor is as follows. We already said a random access
code is a classical extractor outputting a single bit. One can take $m$ independent copies of this extractor and
get an extractor outputting $m$ bits. The price of this is that the seed length becomes $\Omega(m)$. To fix this, in
Trevisan's extractor a short seed of length $O(\log n)$ is used to create $m$ sets that are pair-wise nearly-disjoint.
The analysis shows that in the classical setting the $m$ nearly-disjoint sets can replace the $m$ independent sets,
resulting in $m$ output bits but only $O(\log n)$ seed length.

Can this also work against quantum storage? Ambainis et al. show a random access code is a single-output
extractor against quantum storage. Konig and Terhal [17] show taking $m$ independent copies of this
extractor is good against quantum storage. What about the derandomized version with pair-wise
nearly-disjoint sets? Is it also good against quantum storage?

The analysis of Trevisan's extractor uses the fact that it is built upon a reconstructible pseudo-random
generator (PRG). Loosely speaking, in such structures any mechanism that breaks the extractor (i.e.,
distinguishes its output $E(x, U)$ from uniform) can be used together with a short advice to reconstruct its input $x$.
This kind of reasoning looks well suited to generalizations to extractors against quantum storage. Assume
Charlie can distinguish the extractor output $E(x, U)$ from uniform using $b$ qubits of storage. Then, the
reconstruction property tells us we should be able to reconstruct $x$ using Charlie's reconstruction procedure,
his $b$ qubits of information and a short advice of $a$ classical bits. Thus, we can reconstruct $x \in \{0,1\}^n$ using
only $a + b$ qubits. Basic quantum information theory tells us then that $a + b > n$, or putting it differently,
whenever $b < n - a$, we output uniform bits.

3 The constant c we currently achieve is c = 15. 

Table 1: Milestones in building explicit strong extractors against $b$ storage, in the classical and quantum
setting. The error $\epsilon$ is a constant.



A fundamental problem that arises in the proof is that quantum advice is fragile, and using it once
degrades it. This is exactly the main problem dealt with in [1, 19, 2]. Simplifying things, this problem
forces the reconstruction algorithm to make only a few queries to Charlie. Thus, a key ingredient in our
solution is replacing the error correcting codes used in Trevisan's extractor with locally list-decodable codes
(see Section 4). Another problem is that the analysis requires random access codes of subsets. We explain
the technical problems we encounter and their solution (and the way this affects the parameters) in detail in
the technical sections.



2 Preliminaries 

We begin with some standard notation. A distribution $D$ on $A$ is a function $D : A \to [0, 1]$ such that
$\sum_{a \in A} D(a) = 1$. $x \in D$ denotes sampling according to the distribution $D$. $U_t$ denotes the uniform
distribution over $\{0,1\}^t$. We measure distance between two distributions with the variational distance
$d(D_1, D_2) = \frac{1}{2}\|D_1 - D_2\|_1 = \frac{1}{2}\sum_{a \in A} |D_1(a) - D_2(a)| = \max_{S \subseteq A} D_1(S) - D_2(S)$, where
$D(S) = \sum_{s \in S} D(s) = \Pr_{a \in D}(a \in S)$.

The entropy of $D$ is $H(D) = E_{a \in D} \log(1/D(a))$. The min-entropy of $D$ is $H_\infty(D) = \min_{a : D(a) > 0} \log(1/D(a))$.
If $H_\infty(D) < k$, then for all $a$ in its support $D(a) > 2^{-k}$. A distribution is flat if it is uniformly distributed
over its support. For flat distributions $H_\infty(X) = H(X)$. Every distribution $X$ with $H_\infty(X) > k$ can be
expressed as a convex combination $\sum_i \alpha_i X_i$ of flat distributions $X_i$ each with min-entropy at least $k$.

A superposition is a vector in some Hilbert space. $\mathcal{H}_{2^b}$ denotes a Hilbert space of dimension $2^b$. A
general quantum system is in a mixed state, a probability distribution over superpositions. Let $\{p_i, |\phi_i\rangle\}$
denote the mixed state where superposition $|\phi_i\rangle$ occurs with probability $p_i$. The behavior of the mixed state
$\{p_i, |\phi_i\rangle\}$ is completely characterized by its density matrix $\rho = \sum_i p_i |\phi_i\rangle\langle\phi_i|$ in the sense that two mixed
states with the same density matrix have the same behavior under any physical operation. Notice that a
density matrix over a Hilbert space $\mathcal{H}$ belongs to $\mathrm{Hom}(\mathcal{H}, \mathcal{H})$, the set of linear transformations from $\mathcal{H}$ to
$\mathcal{H}$. Density matrices are positive semi-definite operators and have trace 1.

A POVM (Positive Operator Value Measure) is the most general formulation of a measurement in quantum
computation. A POVM on a Hilbert space $\mathcal{H}$ is a collection $\{E_i\}$ of positive semi-definite operators
$E_i : \mathrm{Hom}(\mathcal{H}, \mathcal{H}) \to \mathrm{Hom}(\mathcal{H}, \mathcal{H})$ that sum up to the identity transformation, i.e., $E_i \succeq 0$ and $\sum_i E_i = I$.
Applying a POVM $\{E_i\}$ on a density matrix $\rho$ results in answer $i$ with probability $\mathrm{Trace}(E_i \rho)$.

3 Extractors against quantum storage 
3.1 Extractors and privacy amplification 

Alice holds a string x drawn from the uniform distribution. An adversary C is given some partial information 
about x in two ways: 

• First, $C$ is told a small subset $X \subseteq \{0,1\}^n$ from which the input $x$ is taken.

• Second, we let $C$ keep $b$ bits of information about $x$.

In the classical world we model the second item by two arbitrarily correlated random variables $X$ and
$C$, with the constraint that $C$ is distributed over $\{0,1\}^b$. In the quantum world, we say an $(n, b)$ quantum
encoding is a collection $\{\rho(x)\}_{x \in \{0,1\}^n}$ of density matrices $\rho(x) \in \mathcal{H}_{2^b}$, and we let $C$ hold any $(n, b)$
quantum encoding of $X$.

Our goal is to find a function $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ such that $E(X, U_t)$, which is the
distribution obtained by picking $x \in X$, $y \in U_t$ and outputting $E(x, y)$, "looks uniform" to the adversary
$C$. We define this as follows. We say a boolean test $T$ $\epsilon$-distinguishes $D_1$ from $D_2$ if
$|\Pr_{x_1 \in D_1}[T(x_1) = 1] - \Pr_{x_2 \in D_2}[T(x_2) = 1]| > \epsilon$. We say $D_1$ is $\epsilon$-indistinguishable from $D_2$ if no boolean POVM can
$\epsilon$-distinguish $D_1$ from $D_2$. We define:

Definition 3.1. A function $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is a $(k, b, \epsilon)$ strong extractor against quantum
storage, if for any distribution $X \subseteq \{0,1\}^n$ with $H_\infty(X) > k$ and every $(n, b)$ quantum encoding $\{\rho(x)\}$,
$U_t \circ E(X, U_t) \circ \rho(X)$ is $\epsilon$-indistinguishable from $U_{t+m} \circ \rho(X)$.

In the definition we could have replaced the condition "for any distribution $X \subseteq \{0,1\}^n$ with $H_\infty(X) > k$"
with the condition "for any flat distribution $X \subseteq \{0,1\}^n$ with $H_\infty(X) > k$", as any distribution
$X \subseteq \{0,1\}^n$ with $H_\infty(X) > k$ can be expressed as a convex combination of flat distributions with min-entropy
$k$.

We similarly define a $(k, b, \epsilon)$ strong extractor against classical storage, where we allow the adversary $C$
two types of information: first we tell $C$ that $x$ is drawn from a small subset $X \subseteq \{0,1\}^n$, and second, we
let $C$ store $b$ bits of information about $x$. However, classically, these two types of information are redundant.
Formally,

Lemma 3.1. Let $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$. Let $k > b > 0$ and $\epsilon > 0$. If $E$ is a $(k - b - \log \epsilon^{-1}, \epsilon)$
strong extractor then $E$ is a $(k, b, 2\epsilon)$ strong extractor against classical storage.

Proof. Let $X$ be a flat distribution over $2^k$ elements. Assume $C$ keeps $b$ bits of information. Except for
probability $\epsilon$, $C$ gets a value $c$ such that $\Pr[C = c] > \epsilon 2^{-b}$ and so $H_\infty(X \mid C = c) > k - b - \log \epsilon^{-1}$
and therefore $(U_t \circ E(X, U_t) \mid C = c)$ is $\epsilon$-close to uniform. Thus $E$ is a $(k, b, 2\epsilon)$ strong extractor against
classical storage. □

A $(k - b - \log \epsilon^{-1}, \epsilon)$ extractor is not necessarily a $(k, b, 2\epsilon)$ strong extractor against quantum storage.
One formal reason is that it is not clear how to define the conditional distribution $(X \mid C = \rho)$ when $C$ may
be quantum. Renner 11211 defines smooth min-entropy for this case, but still it is not clear how to define the
marginal distribution itself as it depends on which measurement $C$ chooses to take later.

Another way to look at the problem is as follows. In the classical world, $C$ has to first choose c bits
of information about $x$ which already determines a distribution $(X \mid C = c)$, and only then an independent
random seed $y \in \{0,1\}^t$ is chosen and $E(x, y)$ is calculated. In the quantum world, however, things are
not that simple. $C$ first chooses c qubits of information about $x$. This by itself does not determine any
classical distribution $X$ on $\{0,1\}^n$. Next, an independent random seed $y \in \{0,1\}^t$ is chosen and $E(x, y)$
is calculated. Finally, $C$ may choose which measurement to make based on $x$ and $y$. The problem is that it
may be possible for $C$ to make a measurement that will correlate the distribution $X$ with the seed $y$, making
the extractor useless. This point of view is further explained in [17].

4 $U_t \circ E(X, U_t) \circ \rho(X)$ denotes the mixed state obtained by sampling $x \in X$, $y \in \{0,1\}^t$ and outputting $|y, E(x, y)\rangle \otimes \rho(x)$.
Similarly, $U_{t+m} \times \rho(X)$ denotes the mixed state obtained by sampling $w \in \{0,1\}^{t+m}$, $x \in X$ and outputting $|w\rangle \otimes \rho(x)$.






3.2 Random access codes 



A similar problem to the one above appears in random access codes. We now explain what random access 
codes are, as this will turn out to be a basic building block in our result. A fundamental result in quantum 
information theory, Holevo's theorem lfl2l . states that no more than b classical bits of information can be 
faithfully transmitted by transferring b quantum bits from one party to another. Formally, 

Theorem 3.1. (Holevo) Let $\{\rho(x)\}$ be any $(n, b)$ quantum encoding. Let $X$ be a random variable with
distribution $\{p_x\}$ and let $\rho(X) = E_x \rho(x) = \sum_x p_x \rho_x$. If $Y$ is any random variable obtained by performing
a measurement on the encoding, then $I(X : Y) \le S(\rho(X)) - E_x S(\rho_x) \le S(\rho(X))$.

In view of this result, it is tempting to conclude that the exponentially many degrees of freedom latent 
in the description of a quantum system must necessarily stay hidden or inaccessible. However, the situation 
is more subtle since the recipient of the n qubit quantum state has a choice of measurement he can make 
to extract information about their state. In general, these measurements do not commute. Thus making a 
particular measurement will disturb the system, thereby destroying some or all the information that would 
have been revealed by another possible measurement. Indeed, Ambainis et al. [1] ask whether there exists
an $(n, b)$ quantum encoding $\{\rho(x)\}$ such that the recipient can learn any bit $x_i$ of his choice. I.e., they define:

Definition 3.2. An $n \overset{p}{\mapsto} t$ quantum random access encoding is an $(n, t)$ encoding $\{\rho(x)\}_{x \in \{0,1\}^n}$ such
that for every $1 \le i \le n$, there is a POVM $\mathcal{E}^i = \{E^i_0, E^i_1\}$ (i.e., $E^i_0 + E^i_1 = I$, $E^i_j \succeq 0$) such that for all
$x \in \{0,1\}^n$ we have $\mathrm{Trace}(E^i_{x_i} \rho(x)) > p$.

[19, 2] show that any quantum $n \overset{p}{\mapsto} t$ encoding must have $t > (1 - H(p))n$. In fact, this lower bound
also holds if we relax the worst-case condition $\forall x\, \forall i\ \mathrm{Trace}(E^i_{x_i} \rho(x)) > p$ and replace it with the average-case
condition $\forall x\ E_i\, \mathrm{Trace}(E^i_{x_i} \rho(x)) > p$.

In this paper we need random access codes that are defined for subsets of $\{0,1\}^n$. Namely,

Definition 3.3. Let $\mathcal{F} \subseteq \{0,1\}^n$. An $\mathcal{F} \overset{p}{\mapsto} t$ quantum random access encoding is an $(n, t)$ encoding
$\{\rho(x)\}_{x \in \mathcal{F}}$ such that for every $1 \le i \le n$, there is a POVM $\mathcal{E}^i = \{E^i_0, E^i_1\}$ (i.e., $E^i_0 + E^i_1 = I$, $E^i_j \succeq 0$) such
that for all $x \in \mathcal{F}$, $i \in [n]$ we have $\mathrm{Trace}(E^i_{x_i} \rho(x)) > p$.

We prove: 

Theorem 3.2. Let 5 > 0, T C {0, 

-+s 

1. Any quantum T 2 t— > t encoding satisfies t > ^(y^f^ ' 1°6 I^D- 

2. Any quantum T h-s? t encoding satisfies t > Q( — • log \ 

Proof. We use the proof technique of (H. First, one can turn the $\mathcal{F} \overset{\frac{1}{2}+\delta}{\mapsto} t$ encoding into another
$\mathcal{F} \mapsto O(t \times T)$ encoding, with $T = O(\log \epsilon^{-1}/\delta^2)$, as follows. The new encoding is $T$ copies of the original
encoding. The decoding is the majority vote over the $T$ decodings of the $T$ copies. By Chernoff, the
probability of error is at most $\epsilon$.

Fix $\epsilon = \frac{c}{n^2}$ for some constant $c$ that will be fixed later. Consider some $f \in \mathcal{F}$ and its encoding $\rho = \rho(f)$.
For every $i \in [n]$ the measurement $\mathcal{E}^i$ recovers $f_i$ with probability at least $1 - \epsilon$, i.e., almost with certainty.
It is shown in [ ljU that applying sequentially the measurements $\mathcal{E}^1, \ldots, \mathcal{E}^n$ results in a distribution $Y$ that
outputs $(f_1, \ldots, f_n)$ with probability at least $1 - 4n\sqrt{\epsilon} = 1 - 4\sqrt{c}$. Taking $c$ small enough, we recover y
with probability $\frac{1}{2}$. By Holevo's theorem, $Tt > I(U_{\mathcal{F}} : Y) > \frac{1}{2}\log(|\mathcal{F}|)$.

For the second item notice that one can turn a T t encoding into another T 0(t x T) encoding, 
using T = 2 log 4< 5 e, and the rest is as before. □ 

implicit in the proof of Lemma 4.2. 

Oded Regev showed us an example where the bound in Theorem 3.2 is tight. Partition the $n$ bits to $\sqrt{n}$
blocks each of size $\sqrt{n}$. Take the set $\mathcal{F}$ to be all bit strings containing exactly one 1 in each block. $\mathcal{F}$ has
$\Omega(\sqrt{n} \cdot \log n)$ entropy. Yet, consider the following RAC that uses only $O(\sqrt{n} + \log n)$ bits. Given $f \in \mathcal{F}$,
with indices $i_1, \ldots, i_k$ (i.e., index $i_j$ is 1 in the $j$'th block) the RAC encodes $f$ by $(h, h(i_1), \ldots, h(i_k))$,
where $h : [\sqrt{n}] \to [10]$ is randomly chosen from a family of pairwise independent hash functions. When
asked for a bit $t$ of the input, say, from the $j$'th block, the decoder just checks whether $h(t) = h(i_j)$. It
outputs 1 if yes, otherwise 0. By the pairwise independent property, we output the correct answer with
probability 2/3 for each question.
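
Regev's encoding from the paragraph above, evaluated with exact probabilities; this is an added example, not part of the paper. It assumes the hash family $h_{a,b}(x) = ((ax + b) \bmod P) \bmod 10$ with prime block size $P = 31$, which is pairwise independent on $\mathbb{Z}_P$ and only approximately so after the reduction to $[10]$; blocks and positions are 0-indexed and the sample string is constructed.

```python
from fractions import Fraction
from math import ceil, log2

P = 31        # block size sqrt(n), chosen prime (assumption); n = P*P = 961
RANGE = 10    # hash range [10], as in the text


def h(a, b, x):
    """Assumed hash family: x -> ((a*x + b) mod P) mod RANGE, keyed by (a, b)."""
    return ((a * x + b) % P) % RANGE


def encode(ones, a, b):
    """ones[j] is the position of the single 1 inside block j.
    The codeword is the hash key plus one hash value per block."""
    return (a, b, [h(a, b, i) for i in ones])


def decode(msg, block, t):
    """Answer the query 'is bit t of this block set?' from the short codeword."""
    a, b, tags = msg
    return int(h(a, b, t) == tags[block])


def worst_case_success(ones):
    """Exact success probability over the hash key, minimised over all n queries."""
    msgs = [encode(ones, a, b) for a in range(P) for b in range(P)]
    worst = Fraction(1)
    for block, i_j in enumerate(ones):
        for t in range(P):
            truth = int(t == i_j)
            good = sum(decode(m, block, t) == truth for m in msgs)
            worst = min(worst, Fraction(good, len(msgs)))
    return worst


def message_bits():
    """Bits needed to write down (a, b) and one value in [RANGE] per block."""
    return 2 * ceil(log2(P)) + P * ceil(log2(RANGE))


def entropy_bits():
    """log2 of the number of strings with exactly one 1 in each of the P blocks."""
    return P * log2(P)


# Constructed sample input: block j has its single 1 at position (7*j + 3) mod P.
SAMPLE = [(7 * j + 3) % P for j in range(P)]

if __name__ == "__main__":
    print("worst-case success:", worst_case_success(SAMPLE))
    print("codeword bits:", message_bits(), "entropy bits:", round(entropy_bits(), 1))
```

A query for the set bit is always answered correctly; a query for an unset bit fails exactly when the two hash values collide, so the worst case is one minus the collision probability. The saving in codeword length over the entropy grows with the block size, since each block costs $\log 10$ bits instead of $\log \sqrt{n}$.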

We proved Theorem 3.2 with the definition that is worst-case over $i$. We remark that the average case
version is false. For example, if $\mathcal{F}$ is the set of all $n$ bit strings of weight at least |n, there is a trivial random
access code of length zero that for all $f \in \mathcal{F}$ succeeds on average over $i$ with probability at least 2/3. Thus,
here there is a crucial difference between worst-case and average-case complexity over $i$.

4 Local list-decoding 

A code is a function $C : \Sigma^n \to \Sigma^{\bar n}$. We identify a binary code $C$ with its image $C = \{C(x) \mid x \in \Sigma^n\}$. The
distance $d$ of the code is the minimum distance between two codewords in $C$. The balls of radius around
codewords are disjoint, and therefore one can uniquely correct up to so many errors. If we allow more than
$d/2$ errors several decodings are possible. In many cases one can allow almost up to the distance errors and
still get only few possible decodings. We say $C$ is $(p, L)$ list-decodable if for every $z \in \Sigma^{\bar n}$ there are at most
$L$ codewords $y$ such that $\mathrm{ag}(z, y) \stackrel{\mathrm{def}}{=} |\{i \in [\bar n] : z_i = y_i\}| > p\bar n$.

As always one can study the combinatorial properties of a code, or ask for an explicit decoding algo- 
rithm. If the decoding algorithm makes only few queries to the corrupted word, we say it is local. Formally, 

Definition 4.1. (local list-decoding) Let $C : \Sigma^n \to \Sigma^{\bar n}$. We say $C$ has a $(p, L, q, \beta)$ local list-decoding if:

• $C$ is $(p, L)$ list-decodable.

• There exists a probabilistic, polynomial time oracle machine $A$ that on input $k \in [L]$ and $i \in [n]$
outputs a value $A^y(k, i) \in \{0, 1\}$. $A$ can make at most $q$ queries and each query is in the range $[\bar n]$.

• For every deterministic function $y : [\bar n] \to \Sigma$ and every $x \in \Sigma^n$ such that $\mathrm{ag}(y, C(x)) > p\bar n$, there
exists $k \in [L]$ such that for every $i \in [n]$, $\Pr_A[A^y(k, i) = x(i)] > \beta$.

Sudan, Trevisan and Vadhan proved: 

Theorem 4.1. [23] For every $\delta = \delta(n) > 0$, there exists an explicit $[\bar n, n]_2$ binary code with output length
$\bar n = \mathrm{poly}(n, \frac{1}{\delta})$ and $\mathrm{poly}(n)$ encoding time, that is $(p = \frac{1}{2} + \delta, L = \mathrm{poly}(n), q = \mathrm{poly}(\log n, \frac{1}{\delta}), \beta = 1 - \delta)$
local list-decodable.

In our case we do not have access to a deterministic function $y : [\bar n] \to \Sigma$, but rather to a probabilistic
procedure that has high on-average success probability. We are given a probabilistic oracle $O : [\bar n] \to \Sigma$.
For $y : [\bar n] \to \Sigma$ define $\mathrm{ag}(O, y) \stackrel{\mathrm{def}}{=} \Pr_{i \in [\bar n], O}(O(i) = y(i))$. We would like to do local list-decoding when
given access to $O$. Formally,

Definition 4.2. (probabilistic oracle, local list-decoding) Let $C : \Sigma^n \to \Sigma^{\bar n}$. We say $C$ has a $(p, L, q, \beta)$
probabilistic oracle, local list-decoding if:

• $C$ is $(p, L)$ list-decodable.

• There exists a probabilistic, polynomial time oracle machine $A$ that on input $k \in [L]$ and $i \in [n]$
outputs a value $A^O(k, i) \in \{0, 1\}$. $A$ can make at most $q$ queries and each query is in the range $[\bar n]$.

• For every probabilistic oracle $O : [\bar n] \to \Sigma$ and every $x \in \Sigma^n$ such that $\mathrm{ag}(O, C(x)) > p\bar n$, there
exists $k \in [L]$ such that for every $i \in [n]$, $\Pr[A^O(k, i) = x(i)] > \beta$.

6 The code in [23] is Reed Muller concatenated with Hadamard. The list-decoding algorithm first list-decodes the Hadamard
code, and then uses the result to list-decode the Reed Muller code. As the Hadamard list decoding returns a list, it is better to use
there list recovery. Working out the parameters we get field size $|F|$ that is |F| = 0( lo ^ \ n ). With $|F|^3$ queries the algorithm
solves the local list-decoding problem, worst-case over $i$. We remark that using a better inner code the query complexity can be
reduced.

If we are just interested in list-decoding (with no restriction on the number of queries) then list decoding
a probabilistic oracle is essentially the same as list decoding a string. This is because we can take $O$, and for
every query $j \in [\bar n]$ sample $y_j = O(j)$. By Chernoff, with high probability, the sampled string $y$ also has
high agreement with $C(x)$ and therefore the string $x$ appears somewhere in the output list of $y$.

The above argument does not work for local list-decoding. Here we need the index $k$ to depend on
$O$ alone, and not on the sampled string $y$ or the index $i$. This is an essential requirement, as in local
list-decoding we do not reconstruct the whole string $x$, but rather a single bit $x_i$ of it. The above argument
therefore does not work, as it may happen that the index of $x$ in the list of $y$ depends on the sampled string
$y$, and not just on $O$ as required by the definition.

Luckily, going back to the construction of [23] one can check that essentially the same analysis shows
that

Theorem 4.2. (based on [23]) For every $\delta = \delta(n) > 0$, there exists an explicit $[\bar n, n]_2$ binary code
with output length $\bar n = \mathrm{poly}(n, \frac{1}{\delta})$ and $\mathrm{poly}(n)$ encoding time, that is $(p = \frac{1}{2} + \delta, L = \mathrm{poly}(n), q =
\mathrm{poly}(\log n, \frac{1}{\delta}), \beta = 1 - \delta)$ probabilistic oracle, local list-decodable.

5 Black-box PRGs 

Trevisan showed that good classical black-box PRGs give rise to good classical extractors. In this section 
we show that good classical black-box PRGs with few queries give rise to good classical extractors against 
quantum storage. 

We begin with a purely classical definition: 

Definition 5.1. (black-box PRG) Let $G^{f:[n] \to \{0,1\}} : \{0,1\}^t \to \{0,1\}^m$ be a classical oracle machine with
oracle calls to a function $f : [n] \to \{0, 1\}$. $(G^f, R)$ is a black-box $(\epsilon, p)$-PRG with $a$ advice bits and $q$
queries, if:

• $R$ is a classical oracle circuit $R(adv, i)$ with inputs $adv \in \{0,1\}^a$ and $i \in [n]$. Also, $R$ makes at most
$q$ queries to $T$.

• For every Boolean function $f : [n] \to \{0, 1\}$, and every probabilistic oracle $T$ that $\epsilon$-distinguishes
$U_t \circ G^f(U_t)$ from uniform, there exists an advice $adv = adv(T, f) \in \{0,1\}^a$ such that for all $i \in [n]$,
$\Pr_{R,T}[R^T(adv, i) = f(i)] > p$.

We call $R$ the reconstruction algorithm. Sometimes we omit $R$ and say $G^f$ is a black-box $(\epsilon, p)$-PRG,
meaning that there exists some reconstruction algorithm such that $(G^f, R)$ is a black-box $(\epsilon, p)$-PRG.

Trevisan [24] showed that black-box pseudorandom generators give rise to extractors. We show they 
actually give rise to extractors against quantum storage, alas their quality depends on the number of oracle 
calls in the reconstruction algorithm. 

7 This is because the advice for $x$ is a point $v$ and a value $a$ such that $\hat{x}(v) = a$, where $\hat{x}$ is the low-degree extension of $x$, and
with high probability such an advice separates for most of the sampled strings $y$, the true codeword $C(x)$ from the other codewords
that arise from $y$.

Proposition 5.1. (generalizing [24]) Let $G^f$, $R$ be as above. Suppose $(G^f, R)$ is a black-box $(\epsilon, p = 1 - \delta)$-PRG
with $a$ advice bits and $q$ queries. Then $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ defined by $E(f, y) = G^f(y)$
is a $(k, b, 2\epsilon)$ strong extractor against quantum storage, for k = ^(i^f^jjy ( a ^)) e_1 -

Proof. Let $T$ be a quantum test using $b$ qubits of side information $\rho$. We currently think of $T$ as a probabilistic
oracle. Let $\mathcal{F}$ be the set of all functions $f \in \{0,1\}^n$ for which $T$ $\epsilon$-distinguishes $U_t \times E(f, U_t) \times \rho(f)$ from
U t xU m x p(f). We will show = 2 (( a +9 b H°gMA°s (V^))_ It wiU then follow ^ for any x c {0, l} n , 
|Pr[T(*7 t x£(X,t/ t )xp(X)) = l]-Pi[T(U t xU m xp(X)) = 1]| < Pr[T([/ t x t/ t )xp(x)) = 

l]-Pr[T(f/ t x U m x p(x)) = 1]| < e + Pr^exfx G J 7 ]. Thus, £ is a (log 6, 2e) strong extractor against 
quantum storage. 

We now show $\mathcal{F}$ is indeed small. For any $f \in \mathcal{F}$, given the right advice $adv = adv(T, f) \in \{0,1\}^a$
the circuit $R^T(adv, \cdot)$ computes $f : [n] \to \{0, 1\}$ with $q$ queries to $T$ and worst-case (over $i$) success
probability $p$. We replace each of the $q$ queries to $T$ with a quantum circuit acting on its classical input and
an independent $b$-qubit state that is initialized to $\rho(f)$. Thus, altogether, the new circuit uses $qb$ qubits of
side information. Notice that because the inputs to the different queries are in product state, the answers
to the $T$ queries are independent. The resulting quantum circuit recovers the bits of $f : [n] \to \{0, 1\}$ with
probability $p$ (worst-case over $i$). Thus, $\mathcal{F}$ has a random access code of length $a + qb$ and worst-case success
p = 1 - 6. By TheoremEal item ©, a + qb = 0( '°^ 1 g / ^ ) log\F\) as desired. □ 

Thus, we reduced the problem of finding extractors against quantum storage to the classical question of
finding good black-box PRGs with few queries. In the next section we will prove:

Theorem 5.1. Let e > 0, m < n. There exists an explicit black-box (e, 1 — ^-) PRG G^M^i ' 1 } : 

{0, 1}* -> {0, l} m with a = 0(m 2 -flog f ) advice bits, seed length t = 0(-^^) and q = poly(log n, ™ ) 
queries. 

Plugging Theorem 5.1 into Proposition 5.1 we get Theorem 1.1.

5.1 A black-box PRG with few queries

Trevisan's PRG [24] is based on the Nisan-Wigderson PRG [20], which has a good on-average reconstruction
algorithm. Formally,

Definition 5.2. Let $G^f$, $R$ be as above. $(G^f, R)$ is a black-box $(\epsilon, p)$-PRG with average-case reconstruction
with $a$ advice bits and $q$ queries, if for every Boolean function $f : [n] \to \{0, 1\}$, and every probabilistic
oracle $T$ that $\epsilon$-distinguishes $U_t \circ G^f(U_t)$ from uniform, there exists an advice $adv = adv(T, f) \in \{0,1\}^a$
such that $R^T(adv, x)$ makes at most $q$ queries to $T$ and $\Pr[R^T(adv, i) = f(i)] > p$, where the probability
is over a uniform $i \in [n]$ and the internal coins of $R$ and $T$.

The NW PRG is a black-box PRG with average-case reconstruction. Specifically, for every e > 0, 
NW /:[t, ^ {0 ' 1} : {0,1}* -» {0, l} m has (e,p = \ + ^) average-case reconstruction with a = 0(m 2 ) 

advice bits and t = 0( l °^^ ). The NW reconstruction algorithm uses exactly one oracle call to the distin- 
guishing algorithm. Trevisan used that to prove the following: 

Lemma 5.1. (Trevisan's worst-case to average-case reduction for black-box PRG) Assume $(G^f, R)$ is
a black-box $(\epsilon, \frac{1}{2} + \delta)$-PRG with average-case reconstruction using $a$ advice bits. Further assume the
reconstruction algorithm $R$ is deterministic. Let $C$ be a $[\bar n, n]_2$, $(\frac{1}{2} + \delta, L)$ list-decodable code. Define
$TR^f(y) = NW^{C(f)}(y)$. Then $TR^f$ is a black-box $(\epsilon, p)$-PRG with $a + \log L$ advice bits.

Proof. Suppose $T$ $\epsilon$-breaks the PRG $TR^f = NW^{C(f)}$. W.l.o.g. we can assume $T$ is deterministic. Let
$\bar f = C(f) \in \{0,1\}^{\bar n}$. Given the right advice $adv = adv(f, T)$ to $R$, $R^T(adv, \cdot)$ is a deterministic function
computing $\bar f_i$ with average success probability $p$ over $i \in [\bar n]$, and using only one query to $T$. The
advice to the new reconstruction algorithm $R'$ includes the string $adv$. $R'$ uses the reconstruction algorithm
$R^T(adv, \cdot)$ on each $j \in [\bar n]$. The resulting string $y \in \{0,1\}^{\bar n}$ has $(\frac{1}{2} + \delta)\bar n$ agreement with $\bar f$. We now use
the list decoding algorithm to get a list of up to $L$ codewords in $C$ that are $\frac{1}{2} + \delta$ close to $y$. We know $\bar f$ is in
the list. By adding $\log(L)$ bits to the advice, we can let the advice tell us which of the codewords in the list
is $\bar f$. We have recovered $f$ using $a + \log L$ advice bits and $\bar n$ queries. □

Trevisan could tolerate $\bar n$ queries. We, however, in light of Proposition 5.1 need to reduce the number
of queries. We still want, however, a worst-case reconstruction. The idea is to take $C$ to be a locally
list-decodable code. As our oracle is a probabilistic function what we actually need is a probabilistic oracle,
locally list-decodable code. This leads to:

Lemma 5.2. (worst-case to average-case reduction for black-box PRG using only few queries) Assume
$(G^f, R)$ is a black-box $(\epsilon, \frac{1}{2} + \delta)$-PRG with average-case reconstruction using $a$ advice bits. Let $C$ be a
$(p = \frac{1}{2} + \delta, L, q, \beta)$ probabilistic oracle, local list-decodable binary code. Define $TR^f(y) = NW^{C(f)}(y)$.
Then $TR^f$ is a black-box $(\epsilon, \beta)$-PRG with $a + \log L$ advice bits and $q$ queries.

Proof. Suppose $T$ $\epsilon$-breaks the PRG $TR^f = NW^{C(f)}$. Let $\bar f = C(f)$. Given the right advice $adv =
adv(f, T)$ to $R$, $R^T(adv, i)$ computes $\bar f_i$ with average success probability $p = \frac{1}{2} + \delta$ over $i \in [\bar n]$ and a
single query to $T$. The advice to the new reconstruction algorithm $R'$ includes the string $adv$.

Now assume we ask $R'$ for the value of $f_i$, $i \in [n]$, i.e., we wish to compute $R'^T(adv, i)$. We do
that as follows. We apply the probabilistic oracle, local list-decoding algorithm of $C$, and get $q$ queries
$i_1, \ldots, i_q \in [\bar n]$ to $\bar f = C(f)$. We answer the $j$'th query with the probabilistic oracle $R^T(adv, i_j)$ and we
output the decoding result. By the probabilistic oracle, local list-decoding property, for every $i \in [n]$ the
reconstruction oracle $R'^T$, with additionally the right $k \in [L]$, outputs the right answer with probability at
least $\beta$. □

Putting it together, we prove Theorem 5.1.

Proof. Let e > 0, m < n. Let NW /:[n] ^ {0 ' 1} : {0, 1}*' -» {0, l} m be the Nisan-Wigderson PRG with 
a = 0(m 2 ) advice bits and t' = 0( 1 1 °|^ ). Nisan and Wigderson showed that NW^ is a black-box 
(e, 5 + 8) PRG with average reconstruction and 5 = 

Let C be the (p = | + 5,L = poly(n),q = poly(logn, = 1 — 5) probabilistic oracle, local 

list-decodable binary code of Theorem Define TR/^ - ^ ' 1 * : {0,1}*' -> {0, l} m by TR/(y) = 

NW c(/) (y) with t' = 0(igL£). By LemmaElTR/ is a black-box (e, 1-8) PRG with a = 0{m 2 +log f ) 
advice bits and q queries. □ 
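
The wiring $TR^f(y) = NW^{C(f)}(y)$ used in this section, written out as an added example that is not the paper's code: the seed selects pair-wise nearly-disjoint sets, and each output bit is the codeword $C(x)$ read at the index the seed spells out on one set. Assumptions: the line design over $\mathbb{Z}_Q$ with small $Q = 7$, the plain Hadamard code standing in for the locally list-decodable code of Theorem 4.2, and all function names, which are hypothetical.

```python
from itertools import combinations

Q = 7                  # prime field size (small assumed value); every design set has Q elements
SEED_BITS = Q * Q      # the seed y is read as a Q x Q grid of bits
N = Q                  # input length accepted by the Hadamard stand-in code


def design(m):
    """Return m subsets of range(SEED_BITS), one per line p(a) = c0 + c1*a over Z_Q.

    S_p = {(a, p(a)) : a in Z_Q}. Two distinct lines meet in at most one point,
    so any two sets share at most one seed position (pair-wise nearly disjoint)."""
    if not 0 < m <= Q * Q:
        raise ValueError("need 1 <= m <= Q*Q")
    sets = []
    for idx in range(m):
        c0, c1 = idx % Q, idx // Q
        sets.append([a * Q + (c0 + c1 * a) % Q for a in range(Q)])
    return sets


def max_overlap(sets):
    """Largest intersection between any two distinct sets of the design."""
    return max(len(set(s) & set(t)) for s, t in combinations(sets, 2))


def codeword_bit(x, z):
    """Bit number z of the Hadamard codeword C(x): the inner product <x, z> mod 2."""
    return sum(xi & zi for xi, zi in zip(x, z)) & 1


def trevisan(x, seed, m):
    """TR^x(y) = NW^{C(x)}(y): output bit i is C(x) at the index y restricted to S_i."""
    if len(x) != N or len(seed) != SEED_BITS:
        raise ValueError("wrong input or seed length")
    return [codeword_bit(x, [seed[pos] for pos in S]) for S in design(m)]


# Constructed sample input and seed.
SAMPLE_X = [1, 1, 0, 0, 0, 0, 0]
SAMPLE_SEED = [k % 2 for k in range(SEED_BITS)]

if __name__ == "__main__":
    print("max overlap of 20 sets:", max_overlap(design(20)))
    print("output bits:", trevisan(SAMPLE_X, SAMPLE_SEED, 5))
```

Output bit $i$ depends on the seed only through the $Q$ positions in $S_i$, which is what lets the reconstruction algorithm answer a query about one codeword position with a single call to the distinguisher.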

6 Open problems 

The ideal solution to the problem of classical extractors against quantum storage is to find a natural, generic
transformation from a strong extractor to a strong extractor against quantum storage with about the same
parameters. Gavinsky et al. [9] showed this is impossible. Is there a natural class of constructions that does
hold against quantum storage? Even if not, a natural objective is to prove that many of the current explicit
extractors (and in particular lfT8l[TTi r7l) are good even against quantum storage.

The parameters given in Theorem 1.1 can probably be improved. It would be interesting to construct
an extractor against quantum storage with logarithmic seed length and arbitrarily small polynomial error, as
this may serve as a building block in other constructions.